From aeae6cc29099c4bea84bbfd006615104ba719b1e Mon Sep 17 00:00:00 2001 From: Rodney Ewing Date: Mon, 8 Jul 2013 17:00:37 -0700 Subject: [PATCH] moved forgot pass to basic_auth plugin --- mediagoblin/auth/forms.py | 37 ---- mediagoblin/auth/routing.py | 7 +- mediagoblin/auth/tools.py | 37 +--- mediagoblin/auth/views.py | 161 ---------------- mediagoblin/plugins/basic_auth/__init__.py | 18 ++ mediagoblin/plugins/basic_auth/forms.py | 17 ++ .../plugins/basic_auth}/change_fp.html | 0 .../plugins/basic_auth}/forgot_password.html | 0 .../basic_auth}/fp_verification_email.txt | 0 mediagoblin/plugins/basic_auth/tools.py | 33 ++++ mediagoblin/plugins/basic_auth/views.py | 180 ++++++++++++++++++ 11 files changed, 253 insertions(+), 237 deletions(-) delete mode 100644 mediagoblin/auth/forms.py rename mediagoblin/{templates/mediagoblin/auth => plugins/basic_auth/templates/mediagoblin/plugins/basic_auth}/change_fp.html (100%) rename mediagoblin/{templates/mediagoblin/auth => plugins/basic_auth/templates/mediagoblin/plugins/basic_auth}/forgot_password.html (100%) rename mediagoblin/{templates/mediagoblin/auth => plugins/basic_auth/templates/mediagoblin/plugins/basic_auth}/fp_verification_email.txt (100%) create mode 100644 mediagoblin/plugins/basic_auth/views.py diff --git a/mediagoblin/auth/forms.py b/mediagoblin/auth/forms.py deleted file mode 100644 index 865502e9..00000000 --- a/mediagoblin/auth/forms.py +++ /dev/null @@ -1,37 +0,0 @@ -# GNU MediaGoblin -- federated, autonomous media hosting -# Copyright (C) 2011, 2012 MediaGoblin contributors. See AUTHORS. -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU Affero General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU Affero General Public License for more details. -# -# You should have received a copy of the GNU Affero General Public License -# along with this program. If not, see . - -import wtforms - -from mediagoblin.tools.translate import lazy_pass_to_ugettext as _ -from mediagoblin.auth.tools import normalize_user_or_email_field - - -class ForgotPassForm(wtforms.Form): - username = wtforms.TextField( - _('Username or email'), - [wtforms.validators.Required(), - normalize_user_or_email_field()]) - - -class ChangePassForm(wtforms.Form): - password = wtforms.PasswordField( - 'Password', - [wtforms.validators.Required(), - wtforms.validators.Length(min=5, max=1024)]) - token = wtforms.HiddenField( - '', - [wtforms.validators.Required()]) diff --git a/mediagoblin/auth/routing.py b/mediagoblin/auth/routing.py index 2a6abb47..7a688a49 100644 --- a/mediagoblin/auth/routing.py +++ b/mediagoblin/auth/routing.py @@ -25,9 +25,4 @@ auth_routes = [ ('mediagoblin.auth.verify_email', '/verify_email/', 'mediagoblin.auth.views:verify_email'), ('mediagoblin.auth.resend_verification', '/resend_verification/', - 'mediagoblin.auth.views:resend_activation'), - ('mediagoblin.auth.forgot_password', '/forgot_password/', - 'mediagoblin.auth.views:forgot_password'), - ('mediagoblin.auth.verify_forgot_password', - '/forgot_password/verify/', - 'mediagoblin.auth.views:verify_forgot_password')] + 'mediagoblin.auth.views:resend_activation')] diff --git a/mediagoblin/auth/tools.py b/mediagoblin/auth/tools.py index 579775ff..20c1f5c2 100644 --- a/mediagoblin/auth/tools.py +++ b/mediagoblin/auth/tools.py @@ -101,38 +101,6 @@ def send_verification_email(user, request, email=None, rendered_email) -EMAIL_FP_VERIFICATION_TEMPLATE = ( - u"{uri}?" - u"token={fp_verification_key}") - - -def send_fp_verification_email(user, request): - """ - Send the verification email to users to change their password. - - Args: - - user: a user object - - request: the request - """ - fp_verification_key = get_timed_signer_url('mail_verification_token') \ - .dumps(user.id) - - rendered_email = render_template( - request, 'mediagoblin/auth/fp_verification_email.txt', - {'username': user.username, - 'verification_url': EMAIL_FP_VERIFICATION_TEMPLATE.format( - uri=request.urlgen('mediagoblin.auth.verify_forgot_password', - qualified=True), - fp_verification_key=fp_verification_key)}) - - # TODO: There is no error handling in place - send_email( - mg_globals.app_config['email_sender_address'], - [user.email], - 'GNU MediaGoblin - Change forgotten password!', - rendered_email) - - def basic_extra_validation(register_form, *args): users_with_username = User.query.filter_by( username=register_form.username.data).count() @@ -196,7 +164,10 @@ def check_auth_enabled(): def no_auth_logout(request): - """Log out the user if authentication_disabled, but don't delete the messages""" + """ + Log out the user if no authentication is enabled, but don't delete + the messages + """ if not mg_globals.app.auth and 'user_id' in request.session: del request.session['user_id'] request.session.save() diff --git a/mediagoblin/auth/views.py b/mediagoblin/auth/views.py index dd71d5c1..285bddf6 100644 --- a/mediagoblin/auth/views.py +++ b/mediagoblin/auth/views.py @@ -24,11 +24,8 @@ from mediagoblin.tools.response import render_to_response, redirect, render_404 from mediagoblin.tools.translate import pass_to_ugettext as _ from mediagoblin.tools.mail import email_debug_message from mediagoblin.tools.pluginapi import hook_handle -from mediagoblin.auth import forms as auth_forms from mediagoblin.auth.tools import (send_verification_email, register_user, - send_fp_verification_email, check_login_simple) -from mediagoblin import auth @allow_registration @@ -204,161 +201,3 @@ def resend_activation(request): return redirect( request, 'mediagoblin.user_pages.user_home', user=request.user.username) - - -def forgot_password(request): - """ - Forgot password view - - Sends an email with an url to renew forgotten password. - Use GET querystring parameter 'username' to pre-populate the input field - """ - if not 'pass_auth' in request.template_env.globals: - return redirect(request, 'index') - - fp_form = auth_forms.ForgotPassForm(request.form, - username=request.args.get('username')) - - if not (request.method == 'POST' and fp_form.validate()): - # Either GET request, or invalid form submitted. Display the template - return render_to_response(request, - 'mediagoblin/auth/forgot_password.html', {'fp_form': fp_form,}) - - # If we are here: method == POST and form is valid. username casing - # has been sanitized. Store if a user was found by email. We should - # not reveal if the operation was successful then as we don't want to - # leak if an email address exists in the system. - found_by_email = '@' in fp_form.username.data - - if found_by_email: - user = User.query.filter_by( - email = fp_form.username.data).first() - # Don't reveal success in case the lookup happened by email address. - success_message=_("If that email address (case sensitive!) is " - "registered an email has been sent with instructions " - "on how to change your password.") - - else: # found by username - user = User.query.filter_by( - username = fp_form.username.data).first() - - if user is None: - messages.add_message(request, - messages.WARNING, - _("Couldn't find someone with that username.")) - return redirect(request, 'mediagoblin.auth.forgot_password') - - success_message=_("An email has been sent with instructions " - "on how to change your password.") - - if user and not(user.email_verified and user.status == 'active'): - # Don't send reminder because user is inactive or has no verified email - messages.add_message(request, - messages.WARNING, - _("Could not send password recovery email as your username is in" - "active or your account's email address has not been verified.")) - - return redirect(request, 'mediagoblin.user_pages.user_home', - user=user.username) - - # SUCCESS. Send reminder and return to login page - if user: - email_debug_message(request) - send_fp_verification_email(user, request) - - messages.add_message(request, messages.INFO, success_message) - return redirect(request, 'mediagoblin.auth.login') - - -def verify_forgot_password(request): - """ - Check the forgot-password verification and possibly let the user - change their password because of it. - """ - # get form data variables, and specifically check for presence of token - formdata = _process_for_token(request) - if not formdata['has_token']: - return render_404(request) - - formdata_vars = formdata['vars'] - - # Catch error if token is faked or expired - try: - token = get_timed_signer_url("mail_verification_token") \ - .loads(formdata_vars['token'], max_age=10*24*3600) - except BadSignature: - messages.add_message( - request, - messages.ERROR, - _('The verification key or user id is incorrect.')) - - return redirect( - request, - 'index') - - # check if it's a valid user id - user = User.query.filter_by(id=int(token)).first() - - # no user in db - if not user: - messages.add_message( - request, messages.ERROR, - _('The user id is incorrect.')) - return redirect( - request, 'index') - - # check if user active and has email verified - if user.email_verified and user.status == 'active': - - cp_form = auth_forms.ChangePassForm(formdata_vars) - - if request.method == 'POST' and cp_form.validate(): - user.pw_hash = auth.gen_password_hash( - cp_form.password.data) - user.save() - - messages.add_message( - request, - messages.INFO, - _("You can now log in using your new password.")) - return redirect(request, 'mediagoblin.auth.login') - else: - return render_to_response( - request, - 'mediagoblin/auth/change_fp.html', - {'cp_form': cp_form,}) - - if not user.email_verified: - messages.add_message( - request, messages.ERROR, - _('You need to verify your email before you can reset your' - ' password.')) - - if not user.status == 'active': - messages.add_message( - request, messages.ERROR, - _('You are no longer an active user. Please contact the system' - ' admin to reactivate your accoutn.')) - - return redirect( - request, 'index') - - -def _process_for_token(request): - """ - Checks for tokens in formdata without prior knowledge of request method - - For now, returns whether the userid and token formdata variables exist, and - the formdata variables in a hash. Perhaps an object is warranted? - """ - # retrieve the formdata variables - if request.method == 'GET': - formdata_vars = request.GET - else: - formdata_vars = request.form - - formdata = { - 'vars': formdata_vars, - 'has_token': 'token' in formdata_vars} - - return formdata diff --git a/mediagoblin/plugins/basic_auth/__init__.py b/mediagoblin/plugins/basic_auth/__init__.py index 33a554b0..913ccba4 100644 --- a/mediagoblin/plugins/basic_auth/__init__.py +++ b/mediagoblin/plugins/basic_auth/__init__.py @@ -13,6 +13,8 @@ # # You should have received a copy of the GNU Affero General Public License # along with this program. If not, see . +import os + from mediagoblin.plugins.basic_auth import forms as auth_forms from mediagoblin.plugins.basic_auth import tools as auth_tools from mediagoblin.auth.tools import create_basic_user @@ -20,10 +22,26 @@ from mediagoblin.db.models import User from mediagoblin.tools import pluginapi from sqlalchemy import or_ +PLUGIN_DIR = os.path.dirname(__file__) + def setup_plugin(): config = pluginapi.get_config('mediagoblin.plugins.basic_auth') + routes = [ + ('mediagoblin.plugins.basic_auth.edit.pass', + '/edit/password/', + 'mediagoblin.plugins.basic_auth.views:change_pass'), + ('mediagoblin.plugins.basic_auth.forgot_password', + '/auth/forgot_password/', + 'mediagoblin.plugins.basic_auth.views:forgot_password'), + ('mediagoblin.plugins.basic_auth.verify_forgot_password', + '/auth/forgot_password/verify/', + 'mediagoblin.plugins.basic_auth.views:verify_forgot_password')] + + pluginapi.register_routes(routes) + pluginapi.register_template_path(os.path.join(PLUGIN_DIR, 'templates')) + def get_user(**kwargs): username = kwargs.pop('username', None) diff --git a/mediagoblin/plugins/basic_auth/forms.py b/mediagoblin/plugins/basic_auth/forms.py index 6cf01b38..e1d38668 100644 --- a/mediagoblin/plugins/basic_auth/forms.py +++ b/mediagoblin/plugins/basic_auth/forms.py @@ -44,3 +44,20 @@ class LoginForm(wtforms.Form): stay_logged_in = wtforms.BooleanField( label='', description=_('Stay logged in')) + + +class ForgotPassForm(wtforms.Form): + username = wtforms.TextField( + _('Username or email'), + [wtforms.validators.Required(), + normalize_user_or_email_field()]) + + +class ChangeForgotPassForm(wtforms.Form): + password = wtforms.PasswordField( + 'Password', + [wtforms.validators.Required(), + wtforms.validators.Length(min=5, max=1024)]) + token = wtforms.HiddenField( + '', + [wtforms.validators.Required()]) diff --git a/mediagoblin/templates/mediagoblin/auth/change_fp.html b/mediagoblin/plugins/basic_auth/templates/mediagoblin/plugins/basic_auth/change_fp.html similarity index 100% rename from mediagoblin/templates/mediagoblin/auth/change_fp.html rename to mediagoblin/plugins/basic_auth/templates/mediagoblin/plugins/basic_auth/change_fp.html diff --git a/mediagoblin/templates/mediagoblin/auth/forgot_password.html b/mediagoblin/plugins/basic_auth/templates/mediagoblin/plugins/basic_auth/forgot_password.html similarity index 100% rename from mediagoblin/templates/mediagoblin/auth/forgot_password.html rename to mediagoblin/plugins/basic_auth/templates/mediagoblin/plugins/basic_auth/forgot_password.html diff --git a/mediagoblin/templates/mediagoblin/auth/fp_verification_email.txt b/mediagoblin/plugins/basic_auth/templates/mediagoblin/plugins/basic_auth/fp_verification_email.txt similarity index 100% rename from mediagoblin/templates/mediagoblin/auth/fp_verification_email.txt rename to mediagoblin/plugins/basic_auth/templates/mediagoblin/plugins/basic_auth/fp_verification_email.txt diff --git a/mediagoblin/plugins/basic_auth/tools.py b/mediagoblin/plugins/basic_auth/tools.py index 1300bb9a..97393976 100644 --- a/mediagoblin/plugins/basic_auth/tools.py +++ b/mediagoblin/plugins/basic_auth/tools.py @@ -82,3 +82,36 @@ def fake_login_attempt(): randplus_hashed_pass = bcrypt.hashpw(hashed_pass, rand_salt) randplus_stored_hash == randplus_hashed_pass + + +EMAIL_FP_VERIFICATION_TEMPLATE = ( + u"{uri}?" + u"token={fp_verification_key}") + + +def send_fp_verification_email(user, request): + """ + Send the verification email to users to change their password. + + Args: + - user: a user object + - request: the request + """ + fp_verification_key = get_timed_signer_url('mail_verification_token') \ + .dumps(user.id) + + rendered_email = render_template( + request, 'mediagoblin/auth/fp_verification_email.txt', + {'username': user.username, + 'verification_url': EMAIL_FP_VERIFICATION_TEMPLATE.format( + uri=request.urlgen('mediagoblin.auth.verify_forgot_password', + qualified=True), + fp_verification_key=fp_verification_key)}) + + # TODO: There is no error handling in place + send_email( + mg_globals.app_config['email_sender_address'], + [user.email], + 'GNU MediaGoblin - Change forgotten password!', + rendered_email) + diff --git a/mediagoblin/plugins/basic_auth/views.py b/mediagoblin/plugins/basic_auth/views.py new file mode 100644 index 00000000..64defdad --- /dev/null +++ b/mediagoblin/plugins/basic_auth/views.py @@ -0,0 +1,180 @@ +# GNU MediaGoblin -- federated, autonomous media hosting +# Copyright (C) 2011, 2012 MediaGoblin contributors. See AUTHORS. +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . +from itsdangerous import BadSignature + +from mediagoblin import messages +from mediagoblin.db.models import User +from mediagoblin.plugins.basic_auth import forms, tools +from mediagoblin.tools.crypto import get_timed_signer_url +from mediagoblin.tools.mail import email_debug_message +from mediagoblin.tools.response import redirect, render_to_response, render_404 +from mediagoblin.tools.translate import pass_to_ugettext as _ + + +def forgot_password(request): + """ + Forgot password view + + Sends an email with an url to renew forgotten password. + Use GET querystring parameter 'username' to pre-populate the input field + """ + fp_form = forms.ForgotPassForm(request.form, + username=request.args.get('username')) + + if not (request.method == 'POST' and fp_form.validate()): + # Either GET request, or invalid form submitted. Display the template + return render_to_response(request, + 'mediagoblin/plugins/basic_auth/forgot_password.html', + {'fp_form': fp_form}) + + # If we are here: method == POST and form is valid. username casing + # has been sanitized. Store if a user was found by email. We should + # not reveal if the operation was successful then as we don't want to + # leak if an email address exists in the system. + found_by_email = '@' in fp_form.username.data + + if found_by_email: + user = User.query.filter_by( + email=fp_form.username.data).first() + # Don't reveal success in case the lookup happened by email address. + success_message = _("If that email address (case sensitive!) is " + "registered an email has been sent with " + "instructions on how to change your password.") + + else: # found by username + user = User.query.filter_by( + username=fp_form.username.data).first() + + if user is None: + messages.add_message(request, + messages.WARNING, + _("Couldn't find someone with that username.")) + return redirect(request, 'mediagoblin.auth.forgot_password') + + success_message = _("An email has been sent with instructions " + "on how to change your password.") + + if user and not(user.email_verified and user.status == 'active'): + # Don't send reminder because user is inactive or has no verified email + messages.add_message(request, + messages.WARNING, + _("Could not send password recovery email as your username is in" + "active or your account's email address has not been verified.")) + + return redirect(request, 'mediagoblin.user_pages.user_home', + user=user.username) + + # SUCCESS. Send reminder and return to login page + if user: + email_debug_message(request) + tools.send_fp_verification_email(user, request) + + messages.add_message(request, messages.INFO, success_message) + return redirect(request, 'mediagoblin.auth.login') + + +def verify_forgot_password(request): + """ + Check the forgot-password verification and possibly let the user + change their password because of it. + """ + # get form data variables, and specifically check for presence of token + formdata = _process_for_token(request) + if not formdata['has_token']: + return render_404(request) + + formdata_vars = formdata['vars'] + + # Catch error if token is faked or expired + try: + token = get_timed_signer_url("mail_verification_token") \ + .loads(formdata_vars['token'], max_age=10*24*3600) + except BadSignature: + messages.add_message( + request, + messages.ERROR, + _('The verification key or user id is incorrect.')) + + return redirect( + request, + 'index') + + # check if it's a valid user id + user = User.query.filter_by(id=int(token)).first() + + # no user in db + if not user: + messages.add_message( + request, messages.ERROR, + _('The user id is incorrect.')) + return redirect( + request, 'index') + + # check if user active and has email verified + if user.email_verified and user.status == 'active': + + cp_form = forms.ChangePassForm(formdata_vars) + + if request.method == 'POST' and cp_form.validate(): + user.pw_hash = tools.bcrypt_gen_password_hash( + cp_form.password.data) + user.save() + + messages.add_message( + request, + messages.INFO, + _("You can now log in using your new password.")) + return redirect(request, 'mediagoblin.auth.login') + else: + return render_to_response( + request, + 'mediagoblin/plugins/basic_auth/change_fp.html', + {'cp_form': cp_form}) + + if not user.email_verified: + messages.add_message( + request, messages.ERROR, + _('You need to verify your email before you can reset your' + ' password.')) + + if not user.status == 'active': + messages.add_message( + request, messages.ERROR, + _('You are no longer an active user. Please contact the system' + ' admin to reactivate your accoutn.')) + + return redirect( + request, 'index') + + +def _process_for_token(request): + """ + Checks for tokens in formdata without prior knowledge of request method + + For now, returns whether the userid and token formdata variables exist, and + the formdata variables in a hash. Perhaps an object is warranted? + """ + # retrieve the formdata variables + if request.method == 'GET': + formdata_vars = request.GET + else: + formdata_vars = request.form + + formdata = { + 'vars': formdata_vars, + 'has_token': 'token' in formdata_vars} + + return formdata -- 2.25.1